CVE-2026-3635
Awaiting Analysis Awaiting Analysis - Queue
Header Spoofing in Fastify trustProxy Causes Security Bypass

Publication date: 2026-03-23

Last updated on: 2026-04-16

Assigner: openjs

Description
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection β€” including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers β€” this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3635
EUVD
EUVD-2026-14431
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastify fastify to 5.8.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3635 is a vulnerability in the Fastify web framework versions up to 5.8.2 that occurs when the trustProxy option is configured with a restrictive trust function, such as specifying a single IP address, a subnet, a hop count, or a custom function.

Under these restrictive configurations, the request.protocol and request.host getters incorrectly read the X-Forwarded-Proto and X-Forwarded-Host headers from all incoming connections, including those from untrusted IP addresses.

This flaw allows an attacker who connects directly to the Fastify server, bypassing the trusted proxy, to spoof the protocol and host values that the application sees.

Impact Analysis

Applications that rely on request.protocol or request.host for security decisions are affected by this vulnerability when using restrictive trustProxy configurations.

  • It can undermine HTTPS enforcement, allowing an attacker to spoof the protocol.
  • It can affect secure cookie flags, potentially exposing cookies that should be secure.
  • It can bypass CSRF origin checks by spoofing the host.
  • It can cause incorrect URL construction or host-based routing decisions.
Compliance Impact

I don't know

Detection Guidance

This vulnerability occurs when the Fastify server is configured with a restrictive trustProxy setting and improperly reads X-Forwarded-Proto and X-Forwarded-Host headers from untrusted connections. To detect it, you can check your Fastify server configuration for the trustProxy option and verify if it uses a restrictive trust function such as a specific IP, subnet, hop count, or custom function.

Additionally, monitoring incoming requests that include X-Forwarded-Proto or X-Forwarded-Host headers from IP addresses that are not part of your trusted proxy list can help identify attempts to exploit this vulnerability.

While no specific commands are provided in the available resources, you can use network monitoring tools or log analysis to filter requests with these headers coming from untrusted IPs.

For example, using command-line tools like tcpdump or tshark to capture HTTP headers, or grep to search server logs for suspicious X-Forwarded-Proto or X-Forwarded-Host headers from unexpected IP addresses, may help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Fastify to version 5.8.3 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, review and adjust your trustProxy configuration. Avoid using restrictive trust functions that specify single IPs, subnets, hop counts, or custom functions that may cause the server to trust forwarded headers from untrusted sources.

Alternatively, setting trustProxy to true (trust all proxies) is not vulnerable to this issue, but this may not be suitable for all environments.

Also, consider implementing additional network-level protections to ensure that only trusted proxies can connect to your Fastify server, such as firewall rules or network segmentation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3635. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart